THE OFFICIAL BLOG OF THE SBS DIVA

Just ran BSA on SBS2k3 with SQL and ISA.

Scan date: 03/06/2004 2:11 AM
Scanned with MBSA version: 1.2.3316.1
Security update database version: 2004.6.2.0
Office update database version: 11.0.0.6517
Security assessment: Severe Risk (One or more critical checks failed.)

And obtained the above even after a sucessful installation of

Successful May 28, 2004 Critical Update for SQL Server 2000 Desktop Engine (Windows) on Windows Server 2003 (KB829358)

DO I really want to install what they reccomend?

MS03-031 Cumulative Patch for Microsoft SQL Server (815495) File version is less than expected. [C:\Program Files\Microsoft SQL
Server\MSSQL\binn\console.exe, 2000.80.194.0 < 2000.80.818.0]

PLEASE LET ME KNOW.

Thanks to all the contributors. These pages have been very helpful.

The answer is NO.

All of my testing has been on a newly built sytem using
the March 2004 relase of SBS2k3 and the MSDN Dowload of Premium
CD on May 25,2004

SQL installation succesful
SBSmonitoring Instance Failed. Monitoring was not setup yet
Sharepoint Instance failed.

The system became unstable after this install. Certificates could not be created.
System was rebuilt from backup.

I think something else went on there. There is a timing issue with sharepoint

840685 - An event ID 1000 error message is logged to the application event log when you restart Windows Small Business Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;840685

But patching that instance should not cause your server to fall over like that.

The 840685 Regedit works well. The first install from your Blogs.

The Certificate instability noted is caused by using PPOE aand ISA. When the work-around is finalized it shall be reported.

The recommended BSA patch is older then the patch that had been installed.
SQL2000-KB815495-8.00.0818-ENU.exe Date Published: 8/11/2003 Version: 8.0

SQL2000-KB829358-8.00.0884-ENU.exe Date Published: 1/20/2004 Version: 2000

Therefore the installation fails but only on the SQL Sharepoint Instance
The installation passes on the SQL, SQL SBSMonitoring Instance

SQL SP3A was reinstalled successfully but KB829358 still failed.
No confidence in a successful removal of SQL Sharepoint with Add-Remove becuase of the number of left over entries in registry and elsewhere.

Shavlik also falsely report when scanning a completely up-to-date Windows XP system that I have one missing patch - TOOL03-039, deemed to be critical. This tool is far from critical, and Microsoft even say that it won't be needed unless Nachi and/or Blaster was detected on the system.

I have spoken to Shavlik about this "false positive" and they still insist that it is a needed tool. The alternative suggestion was to ignore this report.

Neither of these are correct.

If the tool isn't critical nor required, Shavlik's HFNetChk Pro should **NOT** report it as critical and missing. This is poor coding. Nothing else.

I am waiting for this to be addressed, and if not, they will be added to the ThreatCode.com site for falsely reporting missing tools. (And yes, it is a tool, not a patch.)

- HiltonT

I disagree Hilton, you do a WU on that system and it will say that it's missing too. Shavlik is just doing what WU would do.

I pushed those down to my machines.

I *always* do a WU, and it has never suggested that tool. Never. Not once.

Actually, Microsoft does not recommend that this tool is installed regardless of its need. If you have a look at http://support.microsoft.com/?kbid=833330 in the "Download and setup information" section you will see where Microsoft clearly states "Note If you use Automatic Updates, this update will be automatically installed if it is needed. You do not have to take any additional action".

I have not found anywhere on the Microsoft website nor in any of their documentation that I have here - including their Security Bulletins - where Microsoft recommends that this tool (it is not a patch, it is a worm removal tool) be installed regardless of whether the computer has previously been infected. If you can find some recommendation by Microsoft, I'd be glad to see it. Shavlik was unable to provide any proof of this.

Shavlik therefore falsely report that this tool is critical and missing. It is neither.

I've seen it on WU.

Yes, but, as per the Microsoft KB article I referenced, this will only appear if the machine had previously been infected by Nachi and/or Blaster. If that is not the case, then Microsoft clearly states that the tool is unnecessary and far from critical.

Shavlik need to learn to read the KB articles more closely, and report the facts, not their version of them.

No I've gotten that on machines that never had either.

I'd rather have the tools there than not there. Sorry but they can stick that KB on my machines. Protection in any form is wise these days.

Hi Susan,

That tool provides no protection. None whatsoever. All it does is remove crud left over after Blaster/Nachi has been disabled.

Also, Microsoft clearly state in that KB that this tool will *only* be offered if one of these two worms has been detected (and removed). No other time will tyhe tool be offered in WU. I'd say, then, that these machines must have been infected and you didn't know it. Microsoft says that is the case, and in this aprticular instance, I believe them. :)

Again, if a tool is unnecessary, then I'd rather not install it. Simple security reasoning here.